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1. Scope 

This document establishes the User Manual for DarkSeaSkies 1.0. 


1.1 System Overview and Description 

DarkSeaSkies is an implant that persists in the EFI firmware of an Apple MacBook Air 
computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space 
implant. 

DarkSeaSkies consists of three different tools: 

1. DarkMatter: An EFI driver that persists in firmware and installs the other two 
tools. 

2. SeaPea: A Mac OSX kernel-space implant that executes, and provides stealth and 
privilege to user-space implants. 

3. NightSkies: A Mac OSX user-space implant that beacons to a listening post and 
provides command and control. 

This document describes the technical details DarkMatter, and that of SeaPea and 
NightSkies only where they differ from their documented user manuals. Refer to SeaPea 
User Manual for further information on SeaPea. Refer to NightSkies User Guide for 
further information on NightSkies. 

1.2 Assumptions and Constraints 

It is assumed that the target system is a MacBook Air version 1,1 running Mac OSX 
10. 5. 2-10. 5.x with firmware version MBA11.0088.B03. 

It is assumed that an operator or asset has one-time physical access to the target system 
and can boot the target system to an external flash drive. 

A constraint is that the DarkSeaSkies will not persist in the event of a firmware update. 

1.3 Conventions (Not Applicable) 

2. Applicable Documents 

The following documents, of the exact issue shown, form a part of this document to the 
extent specified herein. In the event of a conflict between the documents referenced 
herein and the contents of this document, the contents of this document will be 
considered binding. The following documents may be found at S:\DO\IOC\EDG 
ALLYEDG AE\Projects\: 

• SeaPea User Manual, Rev. 2.0, November 2008 

• NightSkies User Guide, Rev. 1.2, November 2008 

3. System Description 

3.1 Technical References 
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The following items are either configured or randomly generated for each 
deployment. Therefore the values are delivered as files rather than updated in this 
document for each deployment. 

> DarkSeaSkies Installer EFI file: 

0 Name: see file installer. name. 
o GUID: see file installer. guid. 

> DarkSeaSkies Implant: 

O The EFI implant name is in the file loader.name. 

0 The GUID is in the file loader. guid. 

0 The XXTEA key used to encrypt both NightSkies and SeaPea is in the file 
xxtea.key. 

> NVRAM Variables: 

O The NVRAM variables are obfuscated by using existing variable names 
and generating new random GUIDs for each delivery. 

0 We will refer to them as the conceptual italicized names (i.e. Status ) in 
this documentation; however, their true names and GUIDs on the target 
are documented below. 

0 Status indicates the status of the payload from the previous boot. 

■ The name of this variable is “SystemAudio Volume”. 

■ The GUID of this variable is in the file status.guid. 

■ Status has the following values. 

• ‘\0’ indicates an unknown status, for example the first boot 
after install 

• ‘0’ indicates that the user-space payload has been dropped 

• ‘1’ is reserved for future use 

• ‘2’ indicates that NightSkies has failed to execute properly. 

• ‘3’ indicates that the user-space payload executed 
successfully 

• ‘4’ indicates that the user-space payload encountered an 
error condition 

• ‘5’ indicates that DarkSeaSkies should uninstall itself and 
its payload 

• Any other value is equivalent to ‘5’. 

0 Count maintains a counter used to track the number of cautious boots. A 
cautious boot is defined fully below. If Count does not exist then it is 
assumed to be zero. 

■ The name of this variable is in the file warning_count.name. 

■ The GUID of this variable is in the file warning_count.guid. 

0 Limit indicates the value of Count at which DarkSeaSkies will uninstall 
itself and its payload. If Limit does not exist then a pre-configured value 
will be used. 

■ The name of this variable is in the file warning_threshold.name. 

■ The GUID of this variable is in the file warning_threshold.guid. 

■ The default value of Limit is in the file warning_threshold.value. 
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0 Configuration is the NVRAM variable that NightSkies uses to store its 
configuration. 

■ The name of this variable is in the file config.name. 

■ The GUID of this variable is in the file config.guid. 

■ The default configuration is described in the file config.plist. 

3.2 System Concepts and Capabilities 

DarkSeaSkies is an EFI implanted beacon (NightSkies) that is run in coordination with 
the SeaPea root-kit. All files, network connections, and processes associated with the 
NightSkies beacon are hidden by the SeaPea root-kit. The beacon and root-kit remain 
persistent across OS reboots, upgrades, and reinstalls. All files associated with 
DarkSeaSkies remain off disk with the following exception: during each boot NightSkies 
is written to disk in the /tmp directory in order to be executed, it is then securely deleted. 
Beacon transmissions by NightSkies occur only when a configurable time has elapsed 
and the target user is browsing with Safari or Firefox. The command and control beacon 
data is encrypted in an HTTP GET/POST request or response. 

3.3 Prerequisites 

Refer to NightSkies User Guide. 

3.4 Equipment Familiarization 

Refer to NightSkies User Guide. 

4. Operation 

4.1 Configuration 

DarkSeaSkies has the following configuration parameters. The values for a deployment 
are in the file config.plist unless specified otherwise. 

> NightSkies encryption pass phrase. This value is saved in Ip.password. 

> Enable date: date after which implant is enabled. 

> Default caution Limit: maximum number of cautious boots before uninstall. 

> Beacon URL: This is the URL the beacon will attempt to download. 

> Client ID: this is a unique identifier for the implant. 

> "Magic Link" String: as part of beaconing, the implant will look for this string in 
the php file in order to retrieve tasking. 

> Uninstall Interval: Time interval since last successful LP communication before 
uninstall. 

> Minimum Delay between beacons in seconds. 

> Failsafe attempt: beacon with out network checks. 

> Maximum Delay: if failsafe is enabled, this is the maximum amount of time in 
seconds we wait before attempting a failsafe beacon. 

> Applications used to detect activity. 
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4.2 Installation and Setup 

DarkSeaSkies is installed from a bootable flash drive. The following instructions detail 
how to make the installation flash drive from any Apple computer running Mac OSX 
10.5 (Leopard). 

1. Format flash drive: 

Open DiskUtility; select the flash drive; click on the “Partition” tab; select “1 
Partition” under “Volume Scheme”; click “Options” button; select “GUID 
Partition Table” radio button; edit “Name” field appropriately; select “Mac OS 
Extended (journaled)” as the “Format”; click “Apply”. 

2. Copy Installer EFI file to the flash drive. 

> cp I.efi /Volumes/I/I . efi 

3. Bless the Installer EFI file on the flash drive. 

> sudo bless --folder /Volumes/I/ --file 
/Volumes/I/I . efi --bootinfo 

The following message is expected and not an error. 

Can't load /Volues/I//usr/standalone/ppc/bootx . bootinfo 

4. Eject the flash drive. 

> diskutil eject /Volumes/I 

5. Insert the flash drive into the target. 

6. Boot the target system while holding the “option” key until the screen displays a 
boot drive selection menu. Select the flash drive. Once the DarkSeaSkies 
installer has started the screen will blank and a will appear in the upper left 
corner of the screen. Once the has appeared the flash drive may be removed 
and the laptop’s lid closed. On a successful installation a c )’ will follow the 
On an unsuccessful installation a ‘(‘ will follow the Once installation is 
complete the laptop will shutdown. If DarkSeaSkies has already been installed on 
the target with the same implant GUID then the implant will be updated. 

For installation and setup of the NightSkies LP refer to NightSkies User Guide. 

4.3 Initiating a Session 

Refer to NightSkies User Guide. 

4.4 Stopping and Suspending Work 

Refer to NightSkies User Guide. 

4.5 Contingencies and Alternate States and Modes of Operation 

DarkSeaSkies status may be queried by checking the value of the Status variable. This 
can be done with the nvram command line utility as follows: > nvram $(cat 
status. guid) :$(cat status . name), where status. guid is the GUID of 
the Status variable and status . name is the name of the Status variable as defined in 
section 3.1. Valid values of the Status variable and their meanings are also described in 
section 3.1. 

The Count variable may be queried to determine the number of continuous cautious boots 
that DarkSeaSkies has encountered. The Count variable is incremented during a boot in 
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which the Status variable does not exist or it exists but is not ‘3’. The Count variable is 
independently incremented in the case of a kernel panic. Therefore, if Status is not ‘3’ 
and a kernel panic is detected, then the Count variable is increased by 2. Otherwise the 
Count variable is deleted. A non-existent Count variable is considered to have the value 
zero. The Status variable will not exist in the case that the target was booted to an OS 
other than Mac OSX 10.5 or to an EFI application such as Refit. 

The Limit variable may be set to override the limit on continuous cautious boots as 
follows: > nvram $(cat limit . guid) : $(cat limit . name) =%xx%xx%xx 

%xx, where limit . guid is the GUID of the Limit variable and limit . name is the 
name of the Limit variable as defined in section 3.1 and the value %xx%xx%xx%xx is a 
four byte hexadecimal number in little-endian byte order with the % character before each 
byte. For instance %O2%00%00%00 is the value 2. 

DarkSeaSkies is uninstalled during a boot in which the Count variable is greater than or 
equal to the Limit variable. DarkSeaSkies may be explicitly uninstalled by setting the 
Status variable to ‘5’ as follows: > nvram $(cat status . guid) : $(cat 
status . name)=5, where status, guid is the GUID of the Status variable and 
$status . name is the name of the Status variable as defined in section 3.1. The system 
must then be cleanly shutdown (not a kernel panic and not holding the power button 
down for ten seconds) so that the Status is written to NVRAM. On the next boot 
DarkSeaSkies will be un-installed. 

4.6 Assistance and Problem Reporting 

Contact NCS/IOC/EDG/AED/UDB for assistance. 

5. Additional Operational Procedures (Not Applicable) 

6. System Backup and Restore (Not Applicable) 

7. Troubleshooting 

In the event that the Configuration NVRAM variable becomes corrupted it can be deleted 
so that DarkSeaSkies will generate the default configuration. Delete the Configuration 
variable with the following command: 

> sudo nvram -d $(cat config . guid) :$(cat config . name). 

This should be followed by a reboot. 

8. Error Messages 

The only error message available in DarkSeaSkies is the Status NVRAM variable. See 
section 3.1 for more information. 
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9. Notes 


9.1 Acronyms/Abbreviations 

The Acronyms/ Abbreviations used in this document are shown in Table 9.1-1. 


Table 9.1-1 Acronyms/Abbreviations 


Acronym/ Abbreviation 

Term 

EFI 

Extensible Firmware Interface 

GUID 

Globally Unique Identifier 

LP 

Listening Post 

NVRAM 

Non-Volatile Random Access Memory 


9.2 Definitions 

Definitions of common terms used within this document may be found in the 
Engineering Development Group Program Management Lexicon. 


The terms and definitions unique to this document are shown in Table 9.2 -2. 

Table 9.2-2 Definitions 


Term 

Definition 
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